Abstract. In this paper, we propose a guess and determine attack against some variants of the π-Cipher family of authenticated ciphers. This family of ciphers is a second-round candidate of the CAESAR competition.

More precisely, we show a key recovery attack with time complexity little higher than $2^{4\omega}$, and low data complexity, against variants of the cipher with ω-bit words, when the internal permutation is reduced to 2.5 rounds.

In particular, this gives an attack with time complexity $2^{72}$ against the variant π16-Cipher096 (using 16-bit words) reduced to 2.5 rounds, while the authors claim 96 bits of security with 3 rounds in their second-round submission. Therefore, the security margin for this variant of π-Cipher is very limited.

The attack can also be applied to lightweight variants that are not included in the CAESAR proposal, and use only two rounds. The lightweight variants π16-Cipher096 and π16-Cipher128 claim 96 bits and 128 bits of security respectively, but our attack can break the full 2 rounds with complexity $2^{72}$.

Finally, the attack can be applied to reduced versions of two more variants of π-Cipher that were proposed in the first-round submission with 4 rounds: π16-Cipher128 (using 16-bit words) and π32-Cipher256 (using 32-bit words). The attack on 2.5 rounds has complexity $2^{72}$ and $2^{137}$ respectively, while the security claims for 4 rounds are 128 bits and 256 bits of security.

Keywords. Authenticated Encryption, π-Cipher, CAESAR Competition, Guess and Determine, Cryptanalysis.
1 Introduction

Authenticated encryption is a rapidly growing field of cryptography that has wide applications in diverse industries. Even though some efforts over the past few years have been devoted to the design and analysis of authenticated encryption schemes, a well-studied design with the desirable level of security and performance is not yet available. Lack of secure and efficient authenticated ciphers led to devastating attacks in extensive applications like TLS and OpenSSL [4,1]. To address this challenge, an international contest called CAESAR, funded by the NIST, plans to hold a multi-year effort to identify a promising new portfolio of authenticated ciphers, suitable for widespread applications [3]. The CAESAR competition, launched in 2014, follows the long tradition of contests in secret key cryptography and aims at selecting a portfolio of authenticated ciphers that offer perceptible advantages over AES-GCM and that can be recommended for widespread use. There were 57 proposals accepted for the first round of the competition and recently, 30 ciphers among these proposals were selected to continue in the second round.

The π-Cipher [7] family of authenticated ciphers, designed by Gligoroski et al., is one of the 30 second-round candidates. It is a special case of encrypt-then-MAC designs and, as all such CAESAR candidates, makes use of a nonce and processes associated data.

One of the most important design goals of this family of cryptographic functions is the possibility of parallel computations. Other goals, as claimed by the designers, are a better security than AES-GCM in the case of a nonce reuse, and better resistance against the production of second-preimage tags. Although the cipher's mode of operation is inspired by the sponge construction [2], and is based on a permutation called the π-function, it has been largely modified by Gligoroski et al. in order to permit parallel computations.

In the initial submission, the authors proposed six different variants of the cipher, where each variant offered a particular level of security and used words of a particular size. More precisely, the level of targeted security, corresponding to the size of the secret key, ranges from 96 to 256 bits, and each variant uses words of 16, 32, or 64 bits. For the second round of the competition, only four variants were kept. Another decision taken by the designers for the second-round version of the cipher was to decrease the number of rounds of the π-function from 4 to 3. In addition, at NIST's lightweight cryptography workshop, a lightweight version of the π-Cipher [10] was proposed. The lightweight proposal is composed of two variants, both using 16-bit words. Since lightweight ciphers must be as small and power-efficient as possible, the number of rounds in the internal permutation is further reduced to 2 in the lightweight version. An overview of the different variants is given in Table 1.


Our results. In this work, we present a key recovery attack against several variants of the π-Cipher, when the π-function is reduced to 2.5 rounds. This shows that the decision to decrease the number of rounds was precarious. Indeed, the lightweight version is completely broken, and the affected variant that is still in the second round submission offers only a very limited security margin.

More precisely, the time complexity of our attack is $2^{72}$ for the 16-bit word variants and $2^{137}$ for the 32-bit word variants, while the data complexity remains very low (a single known plaintext with at least 256 blocks for 16-bit word variants, and 512 blocks for the 32-bit word variants). The attack is faster than exhaustive search of the key for the following variants (reduced to 2.5 rounds):

- π16-Cipher096 with 16-bit words and 96-bit key. This variant was proposed with 4 rounds in version 1, 3 rounds in version 2, and 2 rounds in the lightweight version.

- π16-Cipher128 with 16-bit words and 128-bit key. This variant was proposed with 4 rounds in version 1, and 2 rounds in the lightweight version.

- π32-Cipher256 with 32-bit words and 256-bit key. This variant was proposed with 4 rounds in version 1.

Our cryptanalysis is a guess and determine attack exploiting a weakness in the high-level structure of the π-function. Indeed, we show that by knowing two out of the four output chunks of the π-function and by guessing a third one, we can easily recover one of the four input chunks of the permutation. This permits us to recover the internal state and gives us the possibility to recover the secret key by some very simple operations. Note that our attacks work in the case when no secret message number is processed. However, the attacks can be easily extended to the case when a secret message number is used, if one supposes that the secret message number is known together with the plaintext.

Cryptographic algorithms should be designed with enough security margin to thwart classical attacks but also to resist new and unknown vulnerabilities. Surplus security cannot be obtained for free, since it has an impact on the performance of the ciphers. In particular, due to a number of important limitations in the resources of pervasive devices, it is of utmost importance to analyze lightweight cryptographic designs that allow the reduction of superfluous margins. Our attack shows that the security margin offered by these three members of the π-Cipher family is too small and that these variants are much less secure than expected. This kind of analysis is very important for the progress of the CAESAR competition, as the final portfolio of the selected authenticated ciphers should offer a high level of security. Thus, evaluating the security of the remaining candidates leads to a clearer overview of which candidates are robust and which should be eliminated.


Outline. The rest of the paper is organised as follows. In Section 2 we briefly provide the specifications of π-Cipher. Then, we present our attack on 2.5-round π-Cipher in Section 3 and we discuss how to mount a full-round attack on the lightweight version of π-Cipher in Section 4. Finally, we perform a complexity analysis of our attacks in Section 5 and conclude.
2 π-Cipher Specifications

There exist different variants of π-Cipher, depending on the bit-length of the words used and the expected level of security expressed in bits. Therefore, πω-Ciphern represents a variant defined with ω-bit words and offering n-bit security. The six variants of π-Cipher submitted to the first round of the competition, together with the corresponding parameters, are summarized in Table 1. The first four rows in the table represent the only four variants conserved for the second round. Furthermore, the two variants of the recently presented lightweight π-Cipher proposal [10] are described in the last two rows of Table 1.


Table 1. π-Cipher variants. The first four rows represent the four variants kept for the second round of the CAESAR competition. The last two rows describe the two lightweight variants proposed in [10]. PMN and SMN are the two parts of the nonce and stand for Public Message Number and Secret Message Number respectively. All the parameters are given in bits. For variants both in version 1 and 2, there are 4 rounds in v1 and 3 rounds in v2.

Version      Variant         Word size ω   PMN   SMN        Rate r   Tag size t   Key length   Rounds
-----------  --------------  -----------   ---   --------   ------   ----------   ----------   ------
v1 & v2      π16-Cipher096   16            32    0 or 128   128      128          96           3
             π32-Cipher128   32            128   0 or 256   256      256          128          3
             π64-Cipher128   64            128   0 or 512   512      512          128          3
             π64-Cipher256   64            128   0 or 512   512      512          256          3
v1           π16-Cipher128   16            32    0 or 128   128      128          128          4
             π32-Cipher256   32            128   0 or 256   256      256          256          4
Lightweight  π16-Cipher096   16            32    0 or 128   128      128          96           2
             π16-Cipher128   16            32    0 or 128   128      128          128          2

2.1 Authenticated Encryption

The encryption/authentication function accepts as input a triplet (K, AD, M), where K is a secret key, AD is a string of associated data of a blocks, and M is a message composed of m blocks of size r bits each. The main building block of the authenticated encryption procedure is a construction that the authors call the e-triplex component and which is depicted in Figure 1. The encryption procedure starts by initializing the internal state with the string $K \| PMN \| 10^*$, where the number of 0's appended should be such that the length of the concatenated string equals the size of the state of the π-function. This internal state is then updated by applying the π-function. The result is called the Common Internal State (CIS) and is used as the initial state for the first parallel computations:

$CIS \leftarrow \pi(K \| PMN \| 10^*)$.
[Figure 1: the e-triplex component, with inputs plaintext and outputs ciphertext and tag.]

Fig. 1. The e-triplex component of π-Cipher.


By following the same notation as in the sponge construction, we can see each internal state, say IS, as the concatenation of a rate part and a capacity part: $IS = IS_{capacity} \| IS_{rate}$. In particular, each internal state IS of the procedure is the concatenation of four 4ω-bit chunks, that we will denote as $IS = IS_1 \| IS_2 \| IS_3 \| IS_4$. From the specification of π-Cipher, the capacity part of the state is $IS_{capacity} = IS_2 \| IS_4$, and the rate part of the state is $IS_{rate} = IS_1 \| IS_3$. The counter, denoted by ctr, is then initialized by extracting the first 64 bits of $CIS_{capacity}$. This procedure is depicted at the top left part of Figure 2.

The next step in the authenticated encryption procedure is the processing of the associated data. The associated data AD is cut into equal-sized blocks: $AD = AD_1 \| \ldots \| AD_a$. All blocks are treated in parallel by the e-triplex component. The input to the e-triplex component for the block i is CIS, ctr + i and $AD_i$, and the output is an intermediate tag $t'_i$. The way that each block of associated data is processed can be observed in Figure 2. At the end of this procedure a tag for the associated data T' is computed as

$T' = t'_1 \boxplus_d \cdots \boxplus_d t'_a$,

where $\boxplus_d$ is a component-wise addition of vectors of dimension d, where d is the number of ω-bit words in the rate part (d = 8 for all proposed variants of π-Cipher). Finally, the internal state is updated in the following way to create a new internal state that we will denote by CIS':

$CIS' \leftarrow \pi(CIS_{capacity} \| CIS_{rate} \oplus T')$.

After this first phase, the secret message number SMN, if any, is processed. This procedure is depicted in Figure 2 and described by the following expressions:

$IS \leftarrow \pi(CIS'_{capacity} \| CIS'_{rate} \oplus (ctr + a + 1))$,

$CIS'' \leftarrow \pi(IS_{capacity} \| IS_{rate} \oplus SMN)$.
Fig. 2. π-Cipher encryption structure.

The new state CIS'' will be used as the common state for the parallel processing of the message blocks. The tag produced during this phase is

$T'' = T' \boxplus_d t_0$,

where $t_0$ is the output tag of the last call to the e-triplex component after absorbing the SMN. If no secret message number is used, then the above steps are ignored. The authenticated encryption procedure without SMN is depicted in Figure 4.

In the last phase, the message blocks are treated. As for the associated data, the message M is cut into blocks $M = M_1 \| \ldots \| M_m$ and each block is processed in parallel by the e-triplex construction. Note that the length of each message block, as well as of each ciphertext block, is equal to the bitrate, i.e. r bits (e.g. r = 128 in the case of π16-Cipher096). A unique block counter is associated with each message block. The counter for the message block $M_j$ is computed as ctr + a + j if the secret message number is empty, and as ctr + a + 1 + j otherwise. During encryption, each e-triplex component takes as input the common state CIS'', the counter ctr and a message block $M_j$ and outputs a pair $(C_j, t_j)$, where $C_j$ is a ciphertext block and $t_j$ is a partial tag. The final tag T is computed as

$T = T'' \boxplus_d t_1 \boxplus_d \cdots \boxplus_d t_m$.


2.2 The π-function

The core of π-Cipher is an ARX-based permutation called the π-function. This permutation uses operations somewhat similar to those of the hash function Edon-R [8]. We denote the size of the permutation in bits by b and the number of rounds by R. For the first version of the cipher, R was fixed to 4; however, the authors decided to reduce this number to 3 for the second round of the competition. The internal state (IS) of the π-function can be seen as a concatenation of four chunks of four words, so that $b = 4 \times 4 \times \omega$ bits. The π-function is mainly based on an operation that will be denoted by ∗. However, as our attack does not take advantage of the internal structure of ∗, we omit here its description. The only important thing to know about this operation in order to understand the attack is that it is a 2-input 1-output operation (in Figure 3, the two outputs of a ∗ operation are equal) that is invertible with respect to each of its inputs. Its full specification can be found in [7]. A round of the π-function is depicted in Figure 3, where $S_1$ and $S_2$ are constants.

Fig. 3. One round of the π-function.


2.3 Previous Cryptanalysis Results

In [6], Fuhr and Leurent showed that forgeries can be computed for the first round variants of π-Cipher due to a weakness in the padding algorithm. More precisely, they noticed that the padding used for both the associated data and the plaintext was not injective. This observation permitted to mount a forgery attack by producing valid tags and forced the designers to modify the padding rule for the second round of the competition.

One of the advertised features of π-Cipher is tag second-preimage resistance, meaning that it should be hard to generate a message with a given tag, even for the legitimate key holder. However, Leurent demonstrated in [9] that practical tag second-preimage attacks could be mounted against π-Cipher by using Wagner's generalized birthday attack. More specifically, Leurent showed that tag second-preimages can be computed with optimal complexities ranging from $2^{22}$ to $2^{45}$ depending on the word size ω.

The best attack mentioned by the designers [7, Section 3.3] is a distinguisher on reduced versions with 1 round, using a guess and determine technique. Their attack has complexity about $2^{4\omega}$ (time and memory); in particular, it is applicable to the same variants as our attack. Our attack actually uses similar ideas, but reaches 2.5 rounds, and a full key recovery.


3 Key Recovery Attack against 2.5-round π-Cipher

We describe in this section our key recovery attack against reduced-round variants of π-Cipher when no secret message number (SMN) is used. The authenticated-encryption procedure for this case is described in Figure 4. Note that if no SMN is used then the intermediate tags T' and T'' are equal and that the state CIS'' of Figure 2 is equal to the state CIS'. In order to be consistent with the notation of Section 2, we will keep denoting the common state for processing the message blocks as CIS'' even if this is exactly the same as CIS' in the empty SMN case.

We consider an m-block message $M = M_1 \| \cdots \| M_m$ and an a-block string of associated data, with the corresponding ciphertext $C = C_1 \| \cdots \| C_m$. The message should have at least 16ω blocks, i.e. 256 blocks when ω = 16, and 512 blocks when ω = 32.

We denote the input and output states of the first π-function for processing the message block $M_i$ by $I^i = I^i_1 \| I^i_2 \| I^i_3 \| I^i_4$ and $O^i = O^i_1 \| O^i_2 \| O^i_3 \| O^i_4$ respectively, where each chunk $I^i_j$, $O^i_j$, for $1 \le j \le 4$, is of size 4ω bits.

In our attack, we deploy a guess and determine technique for recovering the secret key for three variants of the π-Cipher family, where the π-function is reduced to 2.5 rounds. Our attack targets the first π-function of the message processing phase, for 16ω consecutive blocks of plaintext. We provide now the main observations that the attack takes advantage of.


3.1 Observations on the π-Cipher Structure

The first observation concerns the nature of the inner operation ∗, that takes two chunks of size 4ω bits as input and outputs a single chunk of the same size. This operation is the core of the π-function. It has the property that, when fixing one of the two input chunks to a constant and letting the other chunk take all possible values, the output chunk equally takes all possible values (it defines a quasi-group).

[Figure 4: the encryption procedure, starting from the state $K \| PMN \| 10^*$.]

Fig. 4. π-Cipher encryption procedure when no secret message number is used.

Observation 1 Both $\ast(a, \cdot)$ and $\ast(\cdot, b)$ are invertible for all $a, b \in \mathbb{F}_2^{4\omega}$ and if $\ast(a, b) = c$, then the knowledge of any two chunks among a, b and c can determine the third one.

The next observation is at the core of the guess and determine technique and exploits a weakness in the high-level structure of the π-function. It shows that, when the function is reduced to 2.5 rounds, the knowledge of 3 output chunks of 4 words each can completely determine an input chunk. This observation demonstrates that the inverse π-function has a limited diffusion when the number of rounds is reduced to 2.5, as we can see that in this case an input word does not depend on all the output words.

Observation 2 Let $I = I_1 \| I_2 \| I_3 \| I_4$ and $O = O_1 \| O_2 \| O_3 \| O_4$ be the input and the output state respectively of the π-function reduced to 2.5 rounds. Then the knowledge of $O_1$, $O_3$ and a guess of $O_2$ can determine $I_1$.
Proof. This claim can be proven by the guess and determine steps described below. The pictorial description of the steps is given in Figure 5. In the figure the green boxes denote the determined chunks $D_i$, $1 \le i \le 9$, the orange box denotes the guessed chunk, i.e. $O_2$, and the chunks denoted by $K_1$, $K_2$, corresponding to $O_1$ and $O_3$ respectively, are known. At the end of this procedure, one computes $D_9$ which corresponds exactly to $I_1$. Note that each step of the procedure below makes use of Observation 1.

1. Use $K_1$, $S_1$ and $G$ to determine $D_1$ and $D_2$.
2. Use $K_2$ and $G$ to determine $D_3$.
3. Use $D_1$ and $D_2$ to determine $D_4$.
4. Use $D_2$ and $D_3$ to determine $D_5$.
5. Use $D_4$ and $S_1$ to determine $D_6$.
6. Use $D_4$ and $D_5$ to determine $D_7$.
7. Use $D_6$ and $D_7$ to determine $D_8$.
8. Use $D_8$ and $S_1$ to determine $D_9$.

□

Fig. 5. Guess and determine steps for the first π-function.


The last observation aims at showing that the knowledge of the input state of the π-function for several message blocks can be used to determine the common state CIS''.

Observation 3 The message processing phase uses the same common internal state, $CIS'' = CIS''_1 \| CIS''_2 \| CIS''_3 \| CIS''_4$, to process each of the message blocks $M_i$, $1 \le i \le m$. Then, the input to the first π-function is $I^i = I^i_1 \| I^i_2 \| I^i_3 \| I^i_4 = CIS''_1 \oplus (ctr + a + i) \| CIS''_2 \| CIS''_3 \| CIS''_4$ for each block.

3.2 High Level Description of the Attack

This section provides a high level description of our attack. As already mentioned, the attack requires a single known plaintext message, with at least 16ω blocks. The attack can be seen as the succession of the five main steps that we describe below:

1. Guess and determine step. In this first part of the attack, we target the first computation of the π-function in the message processing part. Two of the output chunks are known to the attacker as they only depend on the plaintext and ciphertext blocks (i.e. $O^i_1 \| O^i_3 = M_i \oplus C_i$). Then by guessing a third output chunk, namely $O^i_2$, we are able to determine one input chunk, $I^i_1$. We repeat this procedure for all message blocks. This step is described in more detail in Subsection 3.3. At the end of this part we are left with a collection of lists of candidates for one input chunk. We recover the right value by treating the lists in the way described in the next step.

2. Computation of the intersection of the created lists. During this phase, detailed in Subsection 3.4, we show how to treat the created lists in order to recover the right value of the common part for the first input chunk of the π-function, or more precisely, of the value $CIS''_1 \oplus (ctr + a)$ from Observation 3.

3. Recovery of the intermediate $I^j$ state. This step shows the procedure to recover a list of candidates for the state $I^j$ and is described by the Recover-IS Algorithm in Subsection 3.5.

4. Recovery of the common internal state CIS. We show here how one can compute the state CIS, once the intermediate state $I^j$ has been completely identified. This phase is described by the Recover-CIS Algorithm in Subsection 3.6.

5. Computation of the secret key. This phase is pretty straightforward once we have recovered CIS, since, as already mentioned in Section 2.1, $CIS = \pi(K \| PMN \| 10^*)$ and the π-function is a known permutation.

The high level description of the attack is furnished in Algorithm 1.


3.3 Guess and determine

This section describes the guess and determine phase, which recovers the input chunk $I^i_1$ of the first π-function for the i-th block for the plaintext-ciphertext pair $(M = M_1 \| \cdots M_i \cdots \| M_m,\ C = C_1 \| \cdots C_i \cdots \| C_m)$. Note that we can compute $O^i_1 \| O^i_3 = M_i \oplus C_i$. Then by making a guess on the value of $O^i_2$, we can compute $I^i_1$ independently of $O^i_4$, following Observation 2. In particular, we can compute it as $I^i_1 = \pi^{-1}(O^i_1 \| O^i_2 \| O^i_3 \| (0))$.
Algorithm 1 Overview of the attack.

Input: One known plaintext-ciphertext pair $(M = M_1 \| \cdots \| M_{16\omega},\ C = C_1 \| \cdots \| C_{16\omega})$
Output: Master key K
1: for all $1 \le i \le 16\omega$ do
2:   $L_i \leftarrow$ Guess-Determine($M_i$, $C_i$)   ▷ Subsection 3.3
3: for all $1 \le j \le 8\omega$ do
4:   $S \leftarrow \bigcap_{0 \le k < 8\omega} (L_{j+k} \oplus k)$   ▷ Subsection 3.4
5:   if $S \ne \emptyset$ then
6:     $L'_0 \leftarrow$ Recover-IS($M_j$, $C_j$, 0, S)   ▷ Subsection 3.5
7:     $L'_1 \leftarrow$ Recover-IS($M_{j+1}$, $C_{j+1}$, 1, S)
8:     $I^j, I^{j+1} \leftarrow \{(I, J) \in L'_0 \times L'_1 : I_2 \| I_3 \| I_4 = J_2 \| J_3 \| J_4\}$   ▷ Single value expected
9:     for all ctr, s.t. $ctr + a + j = 0 \bmod 8\omega$ do   ▷ Subsection 3.6
10:      $CIS'' \leftarrow I^j \oplus (ctr + a + j)$
11:      $CIS \leftarrow$ Recover-CIS(CIS'')
12:      if ctr = first 64 bits of $CIS_{capacity}$ then
13:        $K \| PMN \| 10^* \leftarrow \pi^{-1}(CIS)$
14:        return K


We compute all candidates for $I^i_1$ corresponding to the $2^{4\omega}$ choices of $O^i_2$, and store them in a list $L_i$. The guess and determine phase is described in Algorithm 2.

Note that there will be fewer than $2^{4\omega}$ different values of $I^i_1$ in a list $L_i$ as the π-function is a permutation of the four chunks and not a permutation from one chunk ($O^i_2$) to one chunk ($I^i_1$). In the following, we assume that the function from $O^i_2$ to $I^i_1$ behaves as a random function, so that the expected size of $L_i$ is $(1 - e^{-1}) \times 2^{4\omega}$ (see [5, Theorem 2]). In the next part, we describe how to compute the intersection and filter out the correct value of $I^i_1$ for some $1 \le i \le 16\omega$.


Algorithm 2 Build the list of candidates for the first input chunk of the first π-function.

Input: Plaintext-ciphertext block M, C
Output: List L of possible candidates for $I_1$
1: function Guess-Determine(M, C)
2:   $L \leftarrow \emptyset$
3:   $O_1 \| O_3 \leftarrow M \oplus C$
4:   for all $O_2$ do
5:     $I_1 \leftarrow \pi^{-1}(O_1 \| O_2 \| O_3 \| (0))$   ▷ Following Observation 2
6:     $L \leftarrow L \cup \{I_1\}$
7:   return L


3.4 Intersecting the lists

In this phase, we compare the lists of candidates for $I^i_1$ for each message block, using the fact that they are all derived from a common state CIS''. More precisely, the first input chunk to the first π-function of each block is computed as:

$I^i_1 = CIS''_1 \oplus (ctr + a + i)$, for $1 \le i \le 16\omega$.

By construction of the lists $L_i$, we have that:

$CIS''_1 \oplus (ctr + a + i) \in L_i$, for $1 \le i \le 16\omega$.

Let $j \in \{1, \ldots, 8\omega\}$ be such that $ctr + a + j = 0 \bmod 8\omega$ (i.e. $j = -(ctr + a) \bmod 8\omega$). In other words, with ω = 16, j is the first message block such that the 7 least significant bits of ctr + a + j are equal to zero (and similarly, 8 bits when ω = 32). This implies, for $0 \le k < 8\omega$:

$(ctr + a + j) + k = (ctr + a + j) \oplus k$,

$CIS''_1 \oplus (ctr + a + j) \oplus k \in L_{j+k}$,

$CIS''_1 \oplus (ctr + a + j) \in L_{j+k} \oplus k$.

Thus,

$CIS''_1 \oplus (ctr + a + j) \in \bigcap_{k=0}^{8\omega-1} (L_{j+k} \oplus k)$.

We will compute this intersection for all guesses of $j \in \{1, \ldots, 8\omega\}$. We are interested now in determining the size of the intersection of the 8ω lists. Each list has about $(1 - e^{-1}) 2^{4\omega}$ elements. If the guess of j is wrong, we assume that the lists are independent; an element is part of all the 8ω lists with probability $(1 - e^{-1})^{8\omega}$. As there is a total of $2^{4\omega}$ elements, the probability that there is no element in the intersection is $(1 - (1 - e^{-1})^{8\omega})^{2^{4\omega}}$. This probability is very close to one:

$$(1 - (1 - e^{-1})^{8\omega})^{2^{4\omega}} = \exp\left(2^{4\omega} \ln\left(1 - (1 - e^{-1})^{8\omega}\right)\right) \ge 1 + 2^{4\omega} \ln\left(1 - (1 - e^{-1})^{8\omega}\right) \approx 1 - 2^{4\omega} (1 - e^{-1})^{8\omega} \approx 1 - 0.9^{8\omega}$$

In particular, it is about $1 - 2^{-20}$ for ω = 16.

On the contrary, if the guess is right, the intersection contains 1 element. With high probability, the test at line 5 of Algorithm 1 will succeed only for the correct value of j, and the corresponding set S will contain a single value.
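The guess and determine chain of Observation 2 (Algorithm 2) and the list intersection of this section, as an added, scaled-down example written for this page; it is not code from the paper or from the π-Cipher designers. It assumes only the round structure the proof steps rely on (per round, a chained pass from chunk 1 with constant S1 followed by a chained pass from chunk 4 with constant S2, and "2.5 rounds" meaning two such rounds plus a final left pass); the real operation ∗ is replaced by a constructed ARX-style quasigroup on 10-bit chunks, and 8ω and 16ω are replaced by the constructed values 64 and 128 (a power of two, as 128 and 256 are, so that the counter identity (ctr + a + j) + k = (ctr + a + j) ⊕ k holds). Every CIS, counter and constant value below is generated or chosen for the demonstration.

```python
"""Toy model of the guess-and-determine phase and list intersection (constructed example)."""
import random

CHUNK_BITS = 10                     # toy chunk width; real chunks are 4*omega bits (64 or 128)
MASK = (1 << CHUNK_BITS) - 1
MULT = 0x1A5                        # odd, so multiplication by it is invertible mod 2**CHUNK_BITS
MULT_INV = pow(MULT, -1, 1 << CHUNK_BITS)
S1, S2 = 0x2B7, 0x15C               # constructed stand-ins for the round constants S1, S2
NUM_LISTS = 64                      # stand-in for 8*omega (a power of two, as 128 and 256 are)
NUM_BLOCKS = 2 * NUM_LISTS          # stand-in for the 16*omega message blocks the attack needs

def rotl(x, r):
    return ((x << r) | (x >> (CHUNK_BITS - r))) & MASK

def star(a, b):
    """Toy quasigroup a * b (add, multiply, rotate); NOT the real pi-function operation."""
    return rotl((a + b * MULT) & MASK, 3)

def star_inv_left(c, b):
    """Observation 1: from c = a * b and b, recover a."""
    return (rotl(c, CHUNK_BITS - 3) - b * MULT) & MASK

def star_inv_right(a, c):
    """Observation 1: from c = a * b and a, recover b."""
    return ((rotl(c, CHUNK_BITS - 3) - a) * MULT_INV) & MASK

def pass_left(s, c):
    """Chained pass from chunk 1 with constant c: Y1 = c*X1, Y2 = Y1*X2, Y3 = Y2*X3, Y4 = Y3*X4."""
    y1 = star(c, s[0]); y2 = star(y1, s[1]); y3 = star(y2, s[2]); y4 = star(y3, s[3])
    return (y1, y2, y3, y4)

def pass_right(s, c):
    """Chained pass from chunk 4 with constant c: Z4 = Y4*c, Z3 = Y3*Z4, Z2 = Y2*Z3, Z1 = Y1*Z2."""
    z4 = star(s[3], c); z3 = star(s[2], z4); z2 = star(s[1], z3); z1 = star(s[0], z2)
    return (z1, z2, z3, z4)

def pi_25(state):
    """Two full rounds (left pass, right pass) plus a final left pass: the '2.5 rounds'."""
    for _ in range(2):
        state = pass_right(pass_left(state, S1), S2)
    return pass_left(state, S1)

def recover_i1(o1, o2, o3):
    """Proof of Observation 2: O1, O3 known, O2 guessed; the last determined chunk is I1."""
    d1 = star_inv_right(S1, o1)     # step 1: O1 = S1 * X1  -> X1
    d2 = star_inv_right(o1, o2)     #         O2 = O1 * X2  -> X2
    d3 = star_inv_right(o2, o3)     # step 2: O3 = O2 * X3  -> X3
    d4 = star_inv_left(d1, d2)      # step 3: X1 = Y1 * X2  -> Y1
    d5 = star_inv_left(d2, d3)      # step 4: X2 = Y2 * X3  -> Y2
    d6 = star_inv_right(S1, d4)     # step 5: Y1 = S1 * Z1  -> Z1
    d7 = star_inv_right(d4, d5)     # step 6: Y2 = Y1 * Z2  -> Z2
    d8 = star_inv_left(d6, d7)      # step 7: Z1 = W1 * Z2  -> W1
    return star_inv_right(S1, d8)   # step 8: W1 = S1 * I1  -> I1 (D9)

def guess_determine(o1, o3):
    """Algorithm 2: the set of I1 candidates over all 2^CHUNK_BITS guesses of O2."""
    return {recover_i1(o1, g, o3) for g in range(1 << CHUNK_BITS)}

def observe_blocks(cis, ctr_plus_a):
    """Constructed oracle: hands the attacker O1 and O3 (what M_i xor C_i would give) of the
    first pi-function of block i; only chunk 1 of the input varies, by xor with the counter."""
    seen = {}
    for i in range(1, NUM_BLOCKS + 1):
        o = pi_25((cis[0] ^ ((ctr_plus_a + i) & MASK), cis[1], cis[2], cis[3]))
        seen[i] = (o[0], o[2])
    return seen

def intersect_lists(lists):
    """Section 3.4: for each guess j, intersect L_{j+k} xor k over k = 0 .. NUM_LISTS-1."""
    survivors = {}
    for j in range(1, NUM_LISTS + 1):
        common = None
        for k in range(NUM_LISTS):
            shifted = {v ^ k for v in lists[j + k]}
            common = shifted if common is None else common & shifted
            if not common:
                break                  # a wrong j almost always empties out early
        if common:
            survivors[j] = common
    return survivors

def run_attack(seed=7):
    """Random toy instance; returns (lists, survivors, true_j, true_value)."""
    rng = random.Random(seed)
    cis = tuple(rng.randrange(1 << CHUNK_BITS) for _ in range(4))   # constructed CIS''
    ctr_plus_a = rng.randrange(1 << 20)                             # constructed ctr + a
    seen = observe_blocks(cis, ctr_plus_a)
    lists = {i: guess_determine(o1, o3) for i, (o1, o3) in seen.items()}
    true_j = (-ctr_plus_a) % NUM_LISTS or NUM_LISTS                 # ctr + a + j = 0 mod NUM_LISTS
    true_value = cis[0] ^ ((ctr_plus_a + true_j) & MASK)            # CIS''_1 xor (ctr + a + j)
    return lists, intersect_lists(lists), true_j, true_value

if __name__ == "__main__":
    lists, survivors, true_j, true_value = run_attack()
    print("smallest list sizes out of", 1 << CHUNK_BITS, ":", sorted(len(l) for l in lists.values())[:4])
    print("surviving j and their intersections:", {j: sorted(s) for j, s in survivors.items()})
    print("true j:", true_j, "true CIS''_1 xor (ctr+a+j):", true_value)
```

Running the block prints list sizes below the full 2^10 (the paper's (1 − 1/e) estimate is what a random function would give; the toy ∗ is only roughly that), a single surviving j whose intersection is the true value, and the true j for comparison. Each list costs 2^n inversions and the intersection is cheap, matching the paper's observation that the guess and determine step and the intersection dominate the cost.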

3.5 Recovering the intermediate state

So far, we have recovered the value $CIS''_1 \oplus (ctr + a + j)$, that is to say the first chunk $I^j_1$ of the input of the first π-function. In addition, the least significant bits of ctr + a + j are known to be zero, so that we can compute $I^{j+k}_1 = I^j_1 \oplus k$ for $0 \le k < 8\omega$ (adjusting the effect of the counter).


From this, we can build a small list of candidates for any $O^{j+k}_2$. We just have to try all $2^{4\omega}$ values of $O^{j+k}_2$, recompute $I^{j+k}_1$, and compare the result to the known value. We know that there will be at least one remaining value, and there can be a few false positives.

Now we make a guess of $O^{j+k}_4$ and use the invertibility of the π-function to build a list $L'_k$ of all potential values of the full input $I^{j+k}$ of the permutation. This second phase of guess and determine through the π-function is demonstrated in Figure 6. The list $L'_k$ contains about $2^{4\omega}$ values. This step is described in Algorithm 3.

In order to identify the correct value in the list, we build the lists $L'_0$ and $L'_1$, and we use the way $I^j$ and $I^{j+1}$ are derived from CIS''. In particular, we have $I^j_2 \| I^j_3 \| I^j_4 = I^{j+1}_2 \| I^{j+1}_3 \| I^{j+1}_4$. This allows us to recover the correct values $I^j$ and $I^{j+1}$.



Fig. 6. Guessing $O_4$ after $I_1$ has been determined.


3.6 Recovering the Common Internal State CIS

In this section we show how to recover the common internal states CIS'' and CIS. We remind once again that the state CIS' is equal to CIS''. From the previous sections, the input state of the first π-function for message block j, $I^j$, has been recovered. Note that

$I^j = I^j_1 \| I^j_2 \| I^j_3 \| I^j_4 = CIS''_1 \oplus (ctr + a + j) \| CIS''_2 \| CIS''_3 \| CIS''_4$.

By making a guess for the value of the counter ctr, we can compute the value of CIS'' which equals CIS'.

The next step is to retrieve the tag T'' and therefore T' (since both tags are equal) by computing $T'' = T \boxminus_d t_1 \boxminus_d \cdots \boxminus_d t_{16\omega}$, where each tag $t_i$, $1 \le i \le 16\omega$, can be recovered from the knowledge of CIS'', ctr and the message blocks.

Once this step is done, the recovery of the common internal state CIS is immediate, as one can compute it as $CIS = \pi^{-1}(CIS') \oplus T'$. Note that, at this point, we can easily verify if the guess of ctr was correct, since ctr corresponds to 64 bits extracted directly from the initial state CIS (as described in Section 2.1). The above procedure is described by Algorithm 4.

Algorithm 3 Build the list of candidates for the full input of the first π-function, knowing the first input chunk.

Input: Plaintext-ciphertext block M, C; index k; list of $I_1$ candidates S
Output: List L' of candidates for $I_2 \| I_3 \| I_4$
1: function Recover-IS(M, C, k, S)
2:   $L' \leftarrow \emptyset$
3:   $O_1 \| O_3 \leftarrow M \oplus C$
4:   for all $O_2$ do
5:     $I \leftarrow \pi^{-1}(O_1 \| O_2 \| O_3 \| (0))$
6:     if $I_1 \oplus k \in S$ then   ▷ Only one candidate expected
7:       for all $O_4$ do
8:         $I \leftarrow \pi^{-1}(O_1 \| O_2 \| O_3 \| O_4)$
9:         $L' \leftarrow L' \cup \{I_2 \| I_3 \| I_4\}$
10:  return L'


Algorithm 4 Recover the initial state CIS.

Input: Common internal state CIS'', corresponding message M
Output: Common internal state CIS
1: function Recover-CIS(CIS'', M)
2:   for $1 \le i \le 16\omega$ do
3:     Compute $t_i$ from CIS'' and $M_i$
4:   $T' = T \boxminus_d t_1 \boxminus_d \cdots \boxminus_d t_{16\omega}$
5:   $CIS \leftarrow (\pi^{-1}(CIS'))_{capacity} \| (\pi^{-1}(CIS'))_{rate} \oplus T'$
6:   return CIS
3.7 Key recovery

Once the internal state CIS has been successfully recovered, one can retrieve the master key K by simply inverting the π-function, as described by Line 13 of Algorithm 1.


3.8 About the use of SMN

The above described analysis supposes that no secret message number is used. This is a legitimate assumption, as |SMN| = 0 is a valid scenario mentioned in the cipher's proposal. Our attack can be easily extended to the case when an SMN is used if one supposes that this number is known to the attacker together with the plaintext. In the case that the knowledge of SMN is not available to the attacker, our analysis fails. However, it is still possible to mount a forgery attack in this case.

More precisely (see Figure 2), if one is given an m-block message M with associated data AD and the corresponding tag T, one can easily construct a forgery as follows. Suppose that the new message $M^{forged}$ has (m + 1) blocks where the first m blocks are identical to the first m blocks of M (i.e., M is a prefix of $M^{forged}$) and the last block of $M^{forged}$ is any fixed value. We follow the steps of Algorithm 1 with message M up to Step 8. At this point we intend to recover ctr. However, we cannot follow the same strategy as the one followed in Algorithm 1 since CIS cannot be recovered without the knowledge of SMN. But we can use the value of $C_s$ which is the output of the SMN processing branch (see Figure 2). So basically we guess ctr to determine CIS'' as before. Subsequently, we ascertain the value ctr by exploiting the relation $(\pi^{-1}(CIS''))_{rate} = C_s$. Since at this point ctr is known, we can easily compute $t_{m+1}$ and thus the new tag $T^{forged}$ will be given by $T \boxplus_d t_{m+1}$.

4 Key Recovery Attack against Full Round Lightweight
Version of π-Cipher

We argue here that the previously presented attack against various versions of
the π-Cipher CAESAR candidate completely breaks the lightweight version [10]
of the same cipher, where the number of rounds is reduced to 2.

The only difference with the previous attack is that, as the number of rounds
is reduced, the guess and determine part of the attack is slightly modified to fit
this reduction. This part, depicted in the left part of Figure 7, is described by the
following steps:

1. Use $K_1$ and $G$ to determine $D_1$.

2. Use $K_2$ and $G$ to determine $D_2$.

3. Use $D_1$ and $S_1$ to determine $D_3$.

4. Use $D_1$ and $D_2$ to determine $D_4$.

5. Use $D_3$ and $D_4$ to determine $D_5$.

6. Use $D_5$ and $S_4$ to determine $D_6$.

After the chunk $I_1$ has been determined, the other chunks $I_2$, $I_3$ and $I_4$
can be derived by further guessing the value of $O_4$, as shown in the right part
of Figure 7. The other steps of the attack remain unchanged, so we omit their
full description.


[Figure 7: two panels, "Phase 1" (left) and "Phase 2" (right)]

Fig. 7. Guess and determine phases for the attack on lightweight π-Cipher variants.


5 Complexity Analysis 

Time complexity. The two steps of the attack with the highest time complexity
are the guess and determine step and the intersection of lists. The guess and
determine step involves $16\omega$ lists, and we evaluate the π-function $2^{4\omega}$ times for
each list. This gives a time complexity of $16\omega \times 2^{4\omega}$ evaluations of the π-function.

Each list will be stored as a bit-field: we use an array of $2^{4\omega}$ bits, where a
bit $b$ is set to one if and only if the value $b$ is in the list. This allows the
intersection of two lists to be computed efficiently, with only $2^{4\omega}$ bit-operations. We have to
compute $64\omega^2$ list intersections at Line 4 of Algorithm 1. This amounts to a total
complexity of $64\omega^2 \times 2^{4\omega}$ bit-operations.

Since a computation of the π-function obviously requires more than $4\omega$ bit-
operations, we will neglect the time complexity of list intersection, and the
total complexity is $16\omega \times 2^{4\omega}$ evaluations of the π-function. This leads to a time
complexity of $2^{72}$ when $\omega = 16$ and $2^{137}$ when $\omega = 32$.
Memory complexity. The memory complexity of the attack comes from the
storage of lists. As explained above, each list $\mathcal{L}_i$ takes only $2^{4\omega}$ bits, for a total
storage of $16\omega \times 2^{4\omega}$ bits. On the other hand, lists $\mathcal{L}'_0$ and $\mathcal{L}'_1$ contain $2^{4\omega}$ values
of $16\omega$ bits, so we must store the full values. We can store a single list and
compute the intersections with the second list on the fly, so that this step also
requires $16\omega \times 2^{4\omega}$ bits of storage.

For $\omega = 16$ this leads to a memory complexity of $2^{69}$ bytes, while for $\omega = 32$
we need to store $2^{134}$ bytes.
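The bit-field representation of the candidate lists described above, as an added example that is not code from the paper: a list of $4\omega$-bit candidates is kept as a field of $2^{4\omega}$ bits, bit $b$ set if and only if value $b$ is in the list, so an intersection is a bitwise AND over the field and a fold over several lists keeps only one accumulated field live. The field width, the predicate-built sample lists and the toy $2^{12}$-value domain are constructed here for the demonstration; `attack_cost` only restates the counts of this section so they can be checked for $\omega = 16$ and $\omega = 32$.

```python
# Added illustration of the list representation used in the complexity
# analysis; this is not code from the paper. A list of candidate 4w-bit
# values is kept as a bit-field of 2^(4w) bits (bit b set iff value b is in
# the list), so intersecting two lists is a bitwise AND over the field.
# The field width is a parameter so the demo runs on a small toy domain.


class BitList:
    """A set of integers in [0, 2**nbits) stored with one bit per value."""

    def __init__(self, nbits):
        if nbits < 3:
            raise ValueError("nbits must be at least 3 so the field is byte-aligned")
        self.nbits = nbits
        self.bits = bytearray((1 << nbits) // 8)   # 2^nbits bits, all clear

    def add(self, value):
        self.bits[value >> 3] |= 1 << (value & 7)

    def __contains__(self, value):
        return bool((self.bits[value >> 3] >> (value & 7)) & 1)

    def __len__(self):
        # population count of the field = number of values in the list
        return sum(bin(b).count("1") for b in self.bits)

    def memory_bytes(self):
        return len(self.bits)

    def intersect(self, other):
        """Bitwise AND of two fields: one operation per bit, 2^nbits in total."""
        if self.nbits != other.nbits:
            raise ValueError("fields must have the same width")
        out = BitList(self.nbits)
        out.bits = bytearray(a & b for a, b in zip(self.bits, other.bits))
        return out


def from_predicate(nbits, keep):
    """Build a list by keeping every value v in [0, 2**nbits) with keep(v)."""
    lst = BitList(nbits)
    for v in range(1 << nbits):
        if keep(v):
            lst.add(v)
    return lst


def intersect_all(lists):
    """Fold the intersections, keeping only one accumulated field live."""
    acc = lists[0]
    for other in lists[1:]:
        acc = acc.intersect(other)
    return acc


def attack_cost(omega):
    """Counts from Section 5 for word size omega: (pi-function evaluations,
    bytes of list storage). 16*omega lists of 2^(4*omega) bits each."""
    evaluations = 16 * omega * 2 ** (4 * omega)
    storage_bits = 16 * omega * 2 ** (4 * omega)
    return evaluations, storage_bits // 8


def demo(nbits=12):
    """Constructed toy domain of 2^12 values with three candidate lists
    (multiples of 2, 3 and 5); only multiples of 30 survive all three.
    Returns (number of survivors, 30 in survivors, 15 in survivors)."""
    lists = [
        from_predicate(nbits, lambda v: v % 2 == 0),
        from_predicate(nbits, lambda v: v % 3 == 0),
        from_predicate(nbits, lambda v: v % 5 == 0),
    ]
    survivors = intersect_all(lists)
    return len(survivors), 30 in survivors, 15 in survivors


if __name__ == "__main__":
    print(demo())            # (137, True, False)
    print(attack_cost(16))   # (2**72, 2**69)
```

The fold in `intersect_all` mirrors the storage argument of the paper: only the running intersection and the list currently being read need to be resident, which is why the intersection step costs no more memory than the lists themselves.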

Table 2 presents a summary of our attacks on different variants of π-Cipher.
The last three columns of this table contain the time, data and memory
complexities of the attacks.


Table 2. Summary of our attacks against different variants of π-Cipher. The data
complexity is counted as the number of known plaintexts. The minimal number of
blocks of each plaintext is denoted in the parenthesis.

Version      Variant         Word    Security  Rounds    Time    Data        Memory
                             size ω  claim     attacked          (# KP)      (bytes)
-----------------------------------------------------------------------------------
v1 & v2      π16-Cipher096   16      96        2.5/3     2^72    1 (256 B)   2^69
v1           π16-Cipher128   16      128       2.5/4     2^72    1 (256 B)   2^69
             π32-Cipher256   32      256       2.5/4     2^137   1 (512 B)   2^134
Lightweight  π16-Cipher096   16      96        2/2       2^72    1 (256 B)   2^69
             π16-Cipher128   16      128       2/2       2^72    1 (256 B)   2^69


6 Conclusion 

In this work we provided an analysis of the security level offered by the π-Cipher
family of authenticated ciphers. The designers of π-Cipher decided to decrease
the number of rounds of the π-function from 4 to 3 for the second round of the
CAESAR competition and to consider only 2 rounds for the recently proposed
lightweight version. However, when reducing the number of rounds, special care
must be taken, as this can lead to a dangerous reduction of the security margin
offered by the new variants.

Our results indicate that π-Cipher, whose round function is reduced to 2.5
rounds, is vulnerable to guess and determine attacks. More precisely, we
manage to recover the secret key in three reduced-round versions of π-Cipher
as well as in the two lightweight variants of the cipher. Taken together, these
results suggest that the decision taken by the designers to reduce the number of
rounds for the candidates of the second round of the CAESAR competition as
well as for the lightweight version was risky.

In this work, we focused on the application of deterministic guess and
determine properties. As a possible direction for future research, one can explore
other guess and determine methods for breaking the full version of the cipher.
Alternatively, it would also be challenging to see if the analysis of the properties
of the ∗ operation could lead to the extension of our attack to an extra half
round. Furthermore, a question that naturally arises after this analysis is whether
increasing the number of rounds of the cipher is the only remedy to resist our
attack, or whether there is another tweak that could be applied to render the
cipher immune against this type of cryptanalysis.